From: Qian Cai <quic_qiancai@quicinc.com>
To: Lu Baolu <baolu.lu@linux.intel.com>
Cc: Joerg Roedel <joro@8bytes.org>, Jason Gunthorpe <jgg@nvidia.com>,
"Kevin Tian" <kevin.tian@intel.com>,
Liu Yi L <yi.l.liu@intel.com>, <iommu@lists.linux-foundation.org>,
<linux-kernel@vger.kernel.org>
Subject: Re: [RESEND PATCH v8 00/11] Fix BUG_ON in vfio_iommu_group_notifier()
Date: Mon, 2 May 2022 12:12:04 -0400
Message-ID: <20220502161204.GA22@qian>
In-Reply-To: <20220418005000.897664-1-baolu.lu@linux.intel.com>
On Mon, Apr 18, 2022 at 08:49:49AM +0800, Lu Baolu wrote:
> Hi Joerg,
>
> This is a resend version of v8 posted here:
> https://lore.kernel.org/linux-iommu/20220308054421.847385-1-baolu.lu@linux.intel.com/
> as we discussed in this thread:
> https://lore.kernel.org/linux-iommu/Yk%2Fq1BGN8pC5HVZp@8bytes.org/
>
> All patches can be applied perfectly except this one:
> - [PATCH v8 02/11] driver core: Add dma_cleanup callback in bus_type
> It conflicts with below refactoring commit:
> - 4b775aaf1ea99 "driver core: Refactor sysfs and drv/bus remove hooks"
> The conflict has been fixed in this post.
>
> No functional changes in this series. I suppress cc-ing this series to
> all v8 reviewers in order to avoid spam.
>
> Please consider it for your iommu tree.
Reverting this series fixed a use-after-free while doing SR-IOV.
BUG: KASAN: use-after-free in __lock_acquire
Read of size 8 at addr ffff080279825d78 by task qemu-system-aar/22429
CPU: 24 PID: 22429 Comm: qemu-system-aar Not tainted 5.18.0-rc5-next-20220502 #69
Call trace:
dump_backtrace
show_stack
dump_stack_lvl
print_address_description.constprop.0
print_report
kasan_report
__asan_report_load8_noabort
__lock_acquire
lock_acquire.part.0
lock_acquire
_raw_spin_lock_irqsave
arm_smmu_detach_dev
arm_smmu_detach_dev at drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2377
arm_smmu_attach_dev
__iommu_attach_group
__iommu_attach_device at drivers/iommu/iommu.c:1942
(inlined by) iommu_group_do_attach_device at drivers/iommu/iommu.c:2058
(inlined by) __iommu_group_for_each_dev at drivers/iommu/iommu.c:989
(inlined by) __iommu_attach_group at drivers/iommu/iommu.c:2069
iommu_group_release_dma_owner
__vfio_group_unset_container
vfio_group_try_dissolve_container
vfio_group_put_external_user
kvm_vfio_destroy
kvm_destroy_vm
kvm_vm_release
__fput
____fput
task_work_run
do_exit
do_group_exit
get_signal
do_signal
do_notify_resume
el0_svc
el0t_64_sync_handler
el0t_64_sync
Allocated by task 22427:
kasan_save_stack
__kasan_kmalloc
kmem_cache_alloc_trace
arm_smmu_domain_alloc
iommu_domain_alloc
vfio_iommu_type1_attach_group
vfio_ioctl_set_iommu
vfio_fops_unl_ioctl
__arm64_sys_ioctl
invoke_syscall
el0_svc_common.constprop.0
do_el0_svc
el0_svc
el0t_64_sync_handler
el0t_64_sync
Freed by task 22429:
kasan_save_stack
kasan_set_track
kasan_set_free_info
____kasan_slab_free
__kasan_slab_free
slab_free_freelist_hook
kfree
arm_smmu_domain_free
arm_smmu_domain_free at iommu/arm/arm-smmu-v3/arm-smmu-v3.c:2067
iommu_domain_free
vfio_iommu_type1_detach_group
__vfio_group_unset_container
vfio_group_try_dissolve_container
vfio_group_put_external_user
kvm_vfio_destroy
kvm_destroy_vm
kvm_vm_release
__fput
____fput
task_work_run
do_exit
do_group_exit
get_signal
do_signal
do_notify_resume
el0_svc
el0t_64_sync_handler
el0t_64_sync